The database of Bulgaria’s National Revenue Agency (NRA), which was hacked over the weekend and sent to local reporters, is now being shared on hacking forums, ZDNet has learned from sources in the threat intelligence community.
Download links to the hacked database have been shared by a hacked data trader known as Instakilla, believed to be operating out of Bulgaria.
ZDNet obtained a copy of the database and verified its authenticity with local sources, and this is a copy of the same database sent to local media over the weekend.
The database contains 57 folders, 10.7 GB in size, and holds personal and financial information consistent with what Bulgarian newspapers reported receiving over the weekend.
This includes personally identifiable information, tax information, from both the NRA, and from other government agencies who shared their data.
Instakilla, the data trader who published the database online for everyone to download, has not responded to a request for comment.
This threat actor has been known to share hacked data for years. He previously advertised data belonging to gaming forums and thousands of selfies of Bulgarian citizens holding up their IDs for some sort of authentication procedure.
An older version of Instakilla’s website was being used years ago to sell cocaine, and even linked to a Facebook profile — although it is unclear if this person, a Bulgarian man, is behind the Instakilla persona, or has been framed.
Suspected hacker arrested and then released
In the meantime, the investigation into the NRA hack has advanced in Bulgaria. In a statement on its website, the agency said the hack took place 20 days ago, not years before, as the hacker claimed; and the hacker only accessed 3% of its systems.
Local media initially reported that the hacker stole the data of five million citizens, around 70% of the country’s population. These numbers were later downgraded, as reports said the data also included the details of foreigners and deceased persons.
Bulgarian police arrested a 20-year-old suspect on Wednesday, July 17, but he was released earlier today.
According to a Dnevnik report, the suspect, a computer expert from the city of Plovdiv, had illegally copied data from the NRA’s servers, but not the data that was involved in the recent hack. Either way, he still faces between five to eight years in prison, along with a fine.
In the meantime, Bulgarian Interior Minister Mladen Marinov continues to push the idea that Russian hackers are behind the security breach, as the NRA database was hacked after Bulgarian authorities announced the purchase of US-made F-16 fighter jets.
Related government coverage: